CryBrazil
CryBrazil or CRYbrazil is a ransomware that runs on Microsoft Windows. It was discovered by MalwareHunterTeam. It is part of the HiddenTear family. It is aimed at Portuguese-speaking and Brazilian users.

Payload Transmission
CryBrazil is distributed through insecure RDP configurations, email spam with malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or infected installers.

Infection
CryBrazil encrypts the user's files using AES and then demands a ransom payment in exchange for the decryption tool needed to restore the contents of the affected files. CryBrazil scans the victim's drives for user-generated files, which can include media files and numerous document types. The file types commonly compromised in attacks like CryBrazil include: .3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip. CryBrazil renames each file it encrypts by adding the extension '.crybrazil' to the affected file's name. Once the files are encrypted, CryBrazil delivers a ransom note to the victim's computer through several means.
CryBrazil changes the affected PC's desktop wallpaper to a JPG file named 'ranso4.jpg', which contains the CryBrazil ransom note text written in Portuguese, accompanied by a picture of a clown. The ransom note states the following:

Ele que é o palhaço, mas sou eu quem põe fogo no circo. ATENÇÃO CRIANÇAS! Todos os seus arquivos foram criptografados, para recuperá-los de volta entre em contato: LOSALPHAGROUP@PROTONMAIL.COM

This translates to:

He is the clown, but it was me who set fire to the circus. ATTENTION CHILDREN! All your files have been encrypted; to get them back, please contact us: LOSALPHAGROUP@PROTONMAIL.COM

CryBrazil's ransom note simply instructs the victim to contact the criminals via email (losalphagroup@protonmail.com) to receive information about recovering the affected files. CryBrazil also drops its ransom note as an HTML file named 'SUA_CHAVE.html', which contains the same text as the desktop image. If the user opens the link in the note, then instead of a ransomware site with ransom demands or a decryption key, a redirect to random sites served by an advertisement rotator opens, because the original site is now offline. Perhaps this is how the profreehost.com hosting service tries to make money on abandoned or disabled sites. Note that the contents of these sites can be dangerous: they can redirect the user to fake Adobe Flash Player scams such as 'Flash Player Update!' or 'Flash Play is out of date'.
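The file-system artifacts described above ('.crybrazil' appended to encrypted files, the 'SUA_CHAVE.html' note and the 'ranso4.jpg' wallpaper) are what an incident responder would sweep a disk for. The following is an added example of such a triage sweep; it is not code from the original page or from the malware itself. It assumes that the original file name and extension are kept and '.crybrazil' is appended after them (e.g. 'report.docx.crybrazil'), that the note and wallpaper names can be matched case-insensitively anywhere in the tree, and it builds a constructed sample directory so it runs offline.

```python
"""
Added example (not part of the original page): defender-side triage sweep
for the CryBrazil file-system indicators described in the article.

Assumptions (not confirmed by the page):
- encrypted files keep their original name and get '.crybrazil' appended,
  e.g. 'report.docx.crybrazil';
- note/wallpaper file names are matched case-insensitively in any folder.
"""
import os
import tempfile
from collections import Counter

CRYBRAZIL_EXT = ".crybrazil"
# Ransom-note artifacts named in the article.
NOTE_NAMES = {"sua_chave.html", "ranso4.jpg"}
# Subset of the extension list from the article, used only to label what
# kind of user data was hit.
TARGETED_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".zip", ".py",
                 ".mp4", ".txt"}


def sweep(root):
    """Walk `root` and summarise the CryBrazil indicators found there."""
    encrypted = []
    notes = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(CRYBRAZIL_EXT):
                encrypted.append(path)
            elif lower in NOTE_NAMES:
                notes.append(path)
    # Recover the original extension: 'report.docx.crybrazil' -> '.docx'
    # (assumes the appended-extension naming described above).
    orig_exts = Counter(
        os.path.splitext(p[:-len(CRYBRAZIL_EXT)])[1].lower() for p in encrypted
    )
    return {
        "encrypted_count": len(encrypted),
        "note_files": sorted(os.path.basename(n) for n in notes),
        "original_extensions": dict(orig_exts),
        "targeted_hit": sorted(e for e in orig_exts if e in TARGETED_EXTS),
        "infected": bool(encrypted) or bool(notes),
    }


def build_sample_tree(infected=True):
    """Create a constructed sample directory imitating a hit (or clean) host."""
    root = tempfile.mkdtemp(prefix="crybrazil_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    names = ["clean.pdf"]
    if infected:
        names += ["report.docx.crybrazil", "budget.xlsx.crybrazil",
                  "notes.txt.crybrazil", "SUA_CHAVE.html"]
    for name in names:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed sample content\n")  # constructed data
    if infected:
        with open(os.path.join(root, "ranso4.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8constructed\xff\xd9")  # constructed JPEG stub
    return root


if __name__ == "__main__":
    print(sweep(build_sample_tree()))
```

Run the script as-is to see the summary for the constructed tree; in a real triage, point `sweep()` at a mounted image or user profile and treat a non-empty `note_files` list or a non-zero `encrypted_count` as a confirmed hit, while `original_extensions` tells you which data classes need restoring from backup.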